The actual cost of implementing data compliance, and the potential for loss of data, cannot be calculated for individual companies without detailed analysis, but it is important to prepare for the new law because even for SMEs there is a lot of work to do to be able to keep and use vital information. The better the preparation, the less impact it will have on sales performance. There is no shortage of cost estimates designed to act as guidelines to being ready.
A report for the Information Commissioner's Office (ICO) reveals that 87% of companies are unable to calculate the amount compliance preparation will cost, and that 82% of the 506 companies surveyed said they are unaware of their current spending on existing compliance rules.
One respondent to the survey predicted that GDPR would cost their company £5 million to become compliant, and £1 million a year to maintain it. The Ministry of Justice produced research of its own that concludes the cost to UK business could be as high as £320 million a year, and £2.1 billion over fourteen years. This is countered by the understanding that greater emphasis on compliance regulations will save between £42m and £124m in fines.
A sizable minority believes there are no financial implications of any kind in preparing for GDPR. For such companies, something to bear in mind is that a representative of the ICO said recently that there would be leeway for companies and other organisations that have made a recognisable attempt to be GDPR compliant, but not succeeded. Token efforts would not count.
Some companies will need to appoint a data protection officer, who will cost between £50,000 and £75,000 annually, and for UK businesses of all types a total of £229 million. For SMEs it could add £182 million to salaries, and for larger companies £47 million.
The EU itself predicts the cost to European business will be £580m, and there will be a £2bn administration saving because multiple national data rules will no longer exist. This ignores the fact that regulatory authorities in each European country will have leeway to enforce and apply sanctions as they see fit, meaning pan-European brand owners will still contend with different regulatory regimes with their own interpretations of the law.
Consumer-facing financial companies are estimated to have to pay between £100,000 and £500,000 to become compliant, but just as important is the loss of revenue created by a failure to obtain the new higher level of opt-in consent from consumers, which will lead to losses of revenue running into millions.
Other big data users, such as the utility, grocery, e-commerce and IT sectors, will also face major compliance challenges. The report claims charities and membership organisations may find fundraising impossible, and extra revenue will have to be found by them to cover a necessary increase in telemarketing.
In the data sector itself the Direct Marketing Association believes tighter regulations on consent could lead to a 50% fall in turnover for list brokers, and a similar drop in business for data cleaning services.
Data companies could face a one-off cost of £500,000 for system development in order to meet consumers' ‘right to be forgotten’ and subject access fees. Data portability will cost another £100,000 in system changes.
Digital advertisers still require clarification on how pseudonymous data will be treated within GDPR. If the law goes against their interests, the Internet Advertising Bureau believes there will be a £633 million a year loss in advertising revenue.
Most companies that employ 250 people or more, and those with more than 100,000 consumer data files, already have a job position focused on compliance. The cost to train them on GDPR will be £7,600.
Whatever the costs will really be, the cheapest way to tackle GDPR is to start preparing as soon as possible. The later it is left, the more expensive and disruptive it will be, and the 14 months in which to prepare will not be enough for some companies.
After December 2017 the ICO could come knocking at any time, plus members of the public may be given the right to claim damages for misuse of their information. A PPI-style claims bonanza is something data users could do without. But it will be sales figures that will be the final arbiter of the impact the new law has, and with only 16 months to go, preparing sooner rather than later is the key factor.